Fraudsters Increasingly Turning to SS7 Hijacking

There is no shortage of cyber-threats today. All Internet-connected devices are at risk, and as users become more savvy, fraudsters are having to get more sophisticated, and the usual safeguards (who is the call/message from? Where is it originating?) are less reliable, since hackers are now exploiting vulnerabilities in the SS7 mobile signaling protocol so that they can spoof user locations and even hijack calls and messages.

Last year, security researchers at Positive Technologies found they were intercepting messages and responding as if they were the intended recipient in services such as WhatsApp or Telegram, according to John Leyden writing for the UK newspaper The Register. Fraudsters could use these interceptions to receive reset codes sent by text, for example, and complete takeovers of accounts for the purpose of identity fraud.

“This is not a man in the middle attack: instead, the attacker is actually impersonating the victim's identity,” he wrote. “The mechanism of the attack renders encryption offered by the apps irrelevant.”

Companies and individuals are gaining access to SS7 networks for supposedly legitimate purposes and then reselling access to fraudsters or hackers – sometimes even on a subscription basis, according to Keith Dyer writing for The Mobile Network. Steve Buck of Evolved Intelligence told Dyer that operators and security companies have seen fraudulent exploits of SS7 signaling networks increase in the past 12-18 months, prompting groups like the GSMA to get involved in writing specifications to guard against attack. Up until now, major operators have been aware of the potential for brand damage caused by SS7 vulnerabilities, but there has been less focus on fraud, Buck told TMN.

“This is not just a security problem, it is a fraud problem,” he said.

Last year, researcher Karsten Nohl of the Communications Security Risk & Interoperability Council (CSRIC) demonstrated the vulnerabilities in SS7 by staging a fake “attack” on the cellphone of Congress member David Lieu as an exercise during a working group of the CSRIC, which then prepared a report of its findings to the Federal Communications Commission (FCC). The working group recently submitted its recommendations, noting that operators should continue to implement firewall methods to protect from attacks, but also that there should be more information sharing within the industry on attacks.

As high profile organizations such as banks have tightened their own security procedures to protect against attacks by internal fraud and social engineering, fraudsters have switched their attention to dedicated communications networks such as SS7, which is making it necessary for companies to turn to SS7 firewall products.

“Another reason for the shift is that operators were previously able to ring-fence access to SS7 hubs to a small range of trusted partners,” wrote Dyer. “But with a larger number of companies benefiting from a direct connection to the signaling layer, it has become harder to police access.”